Panel plans to beef up Computer Security Act

Calling the lack of computer security in the federal government "a national crisis," Rep. Constance Morella (R-Md.) announced last week that the House Science Committee plans to introduce a bill this month to strengthen the 10-year-old Computer Security Act. Designed to establish minimum security standards for guarding federal systems, the act required the National Institute of Standards and Technology to develop security and privacy standards and to ensure the standards' cost-effectiveness. It also required agencies to form security plans and provide mandatory security training for personnel.

Although work on the new legislation is not yet complete, Morella said the proposed bill would strengthen NIST's traditional role in computer security and address the lack of information technology security in educational programs nationwide. It has "total bipartisan support," she said, including that of Rep. George Brown of California, the ranking Democrat on the Science Committee.

"It really is a national crisis," Morella said. "It threatens our national security.... Federal systems and data are not being adequately protected. The enormity of this issue is self-evident."

Underscoring the need to beef up federal systems security, Morella cited a September 1996 General Accounting Office study that concluded that 10 of the 15 largest federal agencies have serious information security weaknesses, some of which have existed for years. Morella was speaking at a meeting of the NIST Computer Systems Security and Privacy Advisory Board, which approved a resolution late last week that advises NIST to elevate its commitment to the Computer Security Act. According to the resolution, NIST should:

* Act as a central service within the federal government to advise on the selection, integration and use of products for securing nonclassified systems.

* Provide a computer systems security assessment capability for civilian agencies.

* Maintain a registry of security and privacy incidents and solutions, and suggest corrective actions to remedy computer security vulnerabilities.

Lynn McNulty, former associate director for computer security at NIST and now the director of government affairs for RSA Data Security Inc., characterized the existing legislation as a "toothless tiger" because it does not require agencies to comply with the security plans submitted shortly after its passage in 1987. The act required agencies to identify all systems containing sensitive information and to establish a security plan to protect those systems. The legislation, however, does not define any agency requirements for specific system security.

"[NIST is] not perceived as being very active or very visible, particularly to the federal user community," he said.

Board member Joseph Leo, deputy administrator for management for the Agriculture Department's Food and Consumer Service, said, "I've yet to have the implementation vision with regard to [the Office of Management and Budget] or the Hill." "Until NIST gets a vision of really wanting to come in and help me, I'm probably not going to warm up to it."
